We take a look at a bad week so far for UK information and data protection…
Data Privacy and Information Security has always been important to organisations, but its prominence is increasing both through the drive from UK government to establish and effectively mandate a minimum baseline through initiatives like Cyber Essentials, and through the publicity which often accompanies incidents or breaches. (The Carphone Warehouse story was page 5 of the Sunday Times, not buried away at page 30, and local councils have been ITV and BBC headline news, with the top 10 by number of breaches listed on the BBC website.)
Even the more detailed and robust international standards which support cyber, data and information security, such as ISO 27001, ISO 27005, COBIT, NIST and PCI DSS, are only as good as the manner in which they are implemented and, more importantly, the way they are:
- Embedded within the organisation’s operational culture,
- Evolved over time as the organisation changes (for example reflecting changes to organisational structure, focus, objectives and threats); and
- Evolved over time as the potential external threats and vulnerabilities facing the organisation change.
Many of the more publicised breaches are happening to large and high profile organisations who will be expected to be aware of the need for information security. In our experience, the difference is often found in those who are able to treat information security, data privacy and cyber security best practice as a “way of life” (with processes which are able to change as the organisation and the threats which face it evolve), and as a consequence create an effective and appropriate framework which unobtrusively enables the organisation and its people to operate in a business as usual manner that is secure by design. It should be noted that many factors can affect an organisation’s capability to operate in this way, including available resources, both financial and human, so it is not necessarily a reflection of an organisation’s culture or attitude towards information security if they do not.
With the previously mentioned operational considerations to account for, ensuring that cyber security frameworks are robust and preventative whilst still empowering the business can be a delicate balancing act. Added to this, more and more organisations are starting to recognise the reputational damage that a breach can cause.
Even if you have some level of incident response plan in place, as it appears Carphone Warehouse did, that reputational damage can be difficult to recover from, so it is vital that organisations take steps to ensure that the appropriate controls are in place and embedded within the culture of the company.
Prevent rather than React
Through our work with a number of well-known organisations in the public and private sector, we see more organisations now than ever before seeking to build in “cyber security or privacy by design”, i.e. cyber security and data privacy measures that they can evolve, and that will evolve with them, so that maintenance and improvement is simply a Business as Usual activity.
Information Security, Cyber Security and Privacy by design can be maintained, for example, through public sector organisations implementing risk and impact assessment, risk reduction and prevention processes and frameworks for end-to-end programmes which:
- reflect their diverse ecosystem; and
- in some cases result in changes to legislation to reflect changes in privacy and security needs.
A particularly relevant example of the latter can be found in work we recently carried out to conduct a Privacy Impact Assessment for the Department of Communications, Energy and Natural Resources in Ireland for an end-to-end programme, which can be found here.
Alternatively, it could be through private sector organisations taking a different and more pro-active approach to the way that they create their Information Security, Cyber Security and Data Privacy frameworks, going the extra mile to bring the business on board and positively affect the culture, so as to increase the value of the Cyber Security controls they have in place and reduce their risk of a breach. Implementing such frameworks in a way that the whole business buys into is becoming increasingly important, as the number of organisations that suffer staff-related breaches, albeit through well-meaning, inadvertent human error, is increasing year on year.
Our consultants all have genuine real-world Information Technology, Information Assurance and Information Security implementation and leadership experience. Because we look at and understand the people and process aspects of cyber security, combined with technology, we help our clients to prevent attacks from happening, mitigate damage and reduce risk.